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Abstract 

Recently, an image encryption scheme based on chaotic standard and logistic maps was pro- 
posed. This paper studies the security of the scheme and shows that it can be broken with only 
one chosen-plaintext. Some other security defects of the scheme are also reported. 
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c/J ', 1. Introduction 

U : 

With the rapid development of information technology, multimedia data are transmitted over 
all kinds of wired /wireless networks more and more frequently. Consequently, the security of mul- 
timedia data becomes a serious concern of many people. However, the traditional text encryption 
\ schemes can not be used in a naive way to protect multimedia data efficiently in some applica- 
tions, mainly due to the big differences between textual and multimedia data and some special 
requirements of the whole multimedia system. This challenge stirs the design of special multime- 
dia encryption schemes to become a hot research topic in multimedia signal processing area in the 



qs^ ' past decade. Because of the subtle similarity between chaos and cryptography, a great number of 
multimedia encryption schemes based on chaos have been presented [l|, |2J, y, IJ]. Unfortunately, 
many of them have been found to have security problems from the cryptographical point of view 
[E 0> 0, 0, 0| ■ Some general rules about evaluating security of chaos-based encryption schemes can 
be found in 13, U]. 



Since 2003, Pareek et al. have proposed a number of different encry ptio n schemes based on 
one or more chaotic maps [tH . 13, 14, fl5l) . Recent cryptanalytic results |ld . 17J3 have shown 



that all the three schemes proposed in [12j, 1 131 . Il4( ] have security defects. In [15(, a new image 



encryption scheme based on the Logistic and standard maps was proposed, where the two maps 
are used to generate a pseudo-random number sequence (PRNS) controlling two kinds of encryption 
operations. The present paper focuses on a re-evaluation of the security of this new scheme, and 
reports the following findings: 1) the scheme can be broken with only one chosen image; 2) there 
are also some other security defects of the scheme. 
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The rest of this paper is organized as follows. Section [5] introduces the image encryption scheme 
under study briefly. Our cryptanalytic results are presented in Sec. [3] in detail. The last section 
concludes the paper. 



2. The image encryption scheme under study 

The plaintext encrypted by the image encryption scheme under study is a RGB true-color image 
of size M x N (height x width) , which can be denoted byanMxiV matrix of 3-tuple pixel values / = 
{(R(i,j), G(i,j),B(i,j))}o<i<M-i ■ Denoting the cipher image by I' = {(R'(i,j), G'(i,j),B'(i,j))}o<i<M-i 

0<j<JV-l _ 0<j<AT-l 

the image encryption scheme can be described as followd_|. 

• Secret key: three floating-point numbers xq, yo, K, and one integer L, where xq, yo € (0, 2ir), 
K > 18, 100 < L < 1100. 

• Initialization: prepare data for encryption/decryption by performing the following steps. 

a) Generate four XO Ring keys as follows: Xkey(0) = [256xq / (2tt) \ , Xkey(l) = |_256yo/(27r)J , 
Xkey{2) = [K mod 256J, Xkey(3) = (L mod 256). 

b) Iterate the standard map Eq. (JTJ) from the initial conditions (xo, yo) for L times to obtain 
a new chaotic state (x ,y Q ). Then, further iterate it for MN more times to get MN 



chaotic states {(xi,Vi)}i 



(x = (x + K sm(y)) mod (2ir), 
y = (y + x + K sin(y)) mod (2tt), 

c) Iterate the Logistic map Eq. ([2]) from the initial condition zq = ((x' Q + y' Q ) mod 1) for 
L times to get a new initial condition z' . Then, further iterate it for MN times to get 
MN chaotic states . 

z = Az{l-z). (2) 

d) Generate achaotic key stream (CKS) image Icks = {(CKSR(i, j), CKSG(i, j), CKSB(i, j))}o<;<m-i 

0<j<Af-l 

as follows: CKSR(i,j) = L256x fc /(27r)J , CKSG(i,j) = [256y k /(2ir)\ and CKSB(i,j) = 
[256zfcJ , where k = iN + j + 1. 

Encryption procedure: a simple concatenation of the following four encryption operations. 

— Confusion I: masking the plain pixel values by the four XORing keys {Xkey(i)}f =0 . 
For k = 0, . . . , MN — 1, do the following masking operations. 

R*(i,j) = R(i,j) © Xkey((3 ■ k) mod 4), (3) 
G*{i,j) = G(i,j) © Xkey({3 ■ k + 1) mod 4), (4) 
B*(i,j) = B(i,j)®Xkey((3-k + 2)mod4:), (5) 

where i = [k/N\, j = {k mod N). 



1 To make the presentation more concise and complete, some notations in the original paper are modified. 
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— Diffusion I: scanning all pixel values from the first one row by row (from top to bottom), 
and masking each pixel (except for the first scanned pixel) by its predecessor in the scan. 
Set if (0,0) = i?*(0,0), G*(0,0) = G*(0,0), 5*(0,0) = B*(0,0). For k = 1,...,MN-1, 



R*(i,j) = R*{i,j)®R*(i',f), (6) 
G*(i,j) = G*(i,j)(BG*(i>,j'), (7) 
B*(i,j) = B*(i,j)®B*(i>,f), (8) 

where i = [k/N\, j = (k mod N), i' = [(k - l)/iVJ and f = ((k - 1) mod N). 

— Diffusion II: scanning all pixel values from the last one column by column (from right 
to left), and masking each pixel (except for the first scanned pixel) by its predecessor in 
the scan. 

Set R**(M - 1,N - 1) = R*(M - 1,N - 1), G**(M - l,N - 1) = G*(M - l,N - 1), 
B**(M - 1,7V- 1) = B*(M - 1,N - 1). For k = MN - 2,... ,0, 

R**{i,j) = R*(i,j)®G**(i',j')®B**(i',j'), (9) 
G**(i,j) = G*(i,j)®B**(i/,f)®R**(i/,f), (10) 
B**(i,j) = B*(i,j)®R**(i',j')®G**(i',f), (11) 

where i = (k mod M) and j = [k/M\, i' = {(k + 1) mod M), j' = [{k + 1)/MJ. 

— Confusion II: masking the pixel values with the CKS image pixel by pixel. 
For k = 0, . . .,MN - 1, 

R'(i,j) = R**(i,j)(BCKSR(i,j), (12) 
G'(i,j) = G**(i,j)®CKSG(i,j), (13) 
B'(i,j) = B**(iJ)®CKSB(i,j). (14) 

where i = [k/N\, j = {k mod N). 
• Decryption procedure: the simple reversion of the above encryption procedure. 

3. Cryptanalysis 

3.1. A chosen-plaintext attack 

In the chosen-plaintext attack, the attacker can choose plaintexts arbitrarily and obtain the 
corresponding ciphertexts. The goal of the attack is to gain some further information which helps 
reveal the other plaintexts encrypted with the same secret key. For the image encryption scheme 
under study, an equivalent version of the secret key can be reconstructed easily from only one pair 
of chosen-plaintext as shown in Proposition 1. 

Lemma 1. Let I** denote the encryption result of I without performing the two confusion steps. 
Then, I' = I** © I* x * key (B I C KS- 

Proof. After the first confusion step, J* = I @ Ixkey, where Ixkey is the pseudo-image composed 
of the four XORing keys. Observing the operations involved in the two diffusion steps, we can see 
both steps can be performed on I and Ixkey separately and XOR the results, which means that 
/** = /** ®I*x*key Then, after performing the last confusion step, we have i 7 = I** ffi I*xk ey ffi IcKS, 
which proves this lemma. □ 
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Proposition 1. If Iq is a zero image, i.e., Iq = ; then I' = I** © 

Proof. This is a straightforward result of the fact Iq = © Ixkey — Ixkey D 

In case Iq is known, the above proposition means that the plain-image J can be recovered from 
I' by the following steps: 1) I** = I' © Iq, 2) perform the two diffusion steps on I** in an inverse 
order, which exactly recovers i\ In other words, by taking Iq as a chosen-image, we can get an 
equivalent key I' to decrypt any cipher- image encrypted with the same secret key (xo, yo, K, L). 

We have performed some experiments to verify the correctness of the above chosen-plaintext at- 
tack. With the secret key (x ,y ,K,L) = (3.98235562892545, 1.34536356538912,108.54365761256745, 
110), the equivalent key Iq was constructed from the zero image, which are shown in Figs. [T^ and 
b, respectively. Then, I was used to recover the cipher-image shown in Fig. and successfully 
recovered the plain-image "Lenna" (Fig. [TJi). 
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3.2. Some other security problems 

3.2.1. Insufficient randomness of the PRNS {CKSB(k)} 

As illustrated in [l^] , the randomness of the pseudo-random bit sequence derived from chaotic 
states generated by iterating Logistic map is very weak. To further verify the randomness of the 
PRNS {CKSB(k)} generated via the Logistic map of fixed control parameter, the NIST statistical 
test suite (2(i| was employed to test the randomness of 100 PRNSes of length 512 • 512 = 262144 
(the number of bytes used for encryption of a 512 x 512 plain color image). Note that the 100 
sequences were generated with randomly selected secret keys. For each test, the default significance 
level 0.01 was used. The results are shown in Table [H from which one can see that the PRNS 
{CKSB(k)} is not random enough. 

Table 1: The performed tests with respect to a significance level 0.01 and the number of sequences passing each test 
in 100 randomly generated sequences. 



Name of Test 


Number of Passed Sequences 


Frequency 


95 


Block Frequency (m = 100) 





Cumulative Sums-Forward 


93 


Runs 





Rank 





Non-overlapping Template (m = 9, B = 010000111) 


10 


Serial (m = 16) 





Approximate Entropy (m = 10) 





FFT 






3.2.2. Insensitivity with respect to change of plaintext 

In [151 . Sec. 5.5], it is recognized that the sensitivity of cipher-image generated by an image en- 
cryption scheme with respect to change of plain-image is very important, but the image encryption 
scheme under study is actually very far from the desired property. As well known in cryptography, 
this property is termed as avalanche effect. Ideally, it requires the change of any single bit of 
plain-image will make every bit of cipher-image change with a probability of one half. However, 
the image encryption scheme under study can not satisfy this property due to the following points. 

• Only one kind of operation (XOR) is involved in the whole scheme; 

• Any bit of plain-image only influences the bits at the same level in the cipher-image; 

• Any pixel of plain-image does not influence other pixels in the cipher-image uniformly. 

To show this defect clearly, we made an experiment by changing only one bit of the red channel 
of the plain-image shown in Fig. [TH. It is found that only some bits at the same level in the 
corresponding cipher-image were changed. The locations of the changed bits are shown in Fig. [2j 
in which the white dots denote changed locations and black ones denote unchanged ones. 
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a) 



Figure 2: The locations of changed bits in different color channels of the cipher-image, when the 6-th bit of the red 
component of the pixel at location (127, 127) in the plain-image was changed: a) red channel; b) green channel; c) 
blue channel. 

4. Conclusion 

In this paper, the security of a new image encryption scheme based on two chaotic maps is 
analyzed in detail. It is found that the scheme can be broken with only one chosen plain-image. 
In addition, some other security defects about randomness of a PRNS involved, and sensitivity 
with respect to change of plain-image are also reported. Due to such a low level of security, we 
recommend not to use the image encryption scheme under study in any serious applications. 
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